Cracking (patching) a certain exam study program.
This post was last edited by huangshaojian on 2011-6-18 14:52. I haven't been learning to debug software for very long and am still at the newbie stage. Since I don't know assembly, I don't understand algorithms, so the small programs I usually crack are done by patching or by trial-tracing registration codes, and not with 100% success. I learn cracking purely as a personal hobby, with no other purpose. A few days ago a friend said he had an exam coming up and had downloaded a program from an exam website, but it had to be registered before it could be used. So I copied it from my friend, installed it, and had a look at whether I could get it working, and after some analysis it actually succeeded. Below is my cracking process:
1. Install the program and check for a packer: there is none, and it is written in Microsoft Visual C# / Basic .NET.
2. Run the program; it asks for registration.
3. Click the register button and type in an arbitrary registration code to see what prompt appears: a "激活失败" (activation failed) message comes up. Once there is a prompt it's easy, since you can search for the prompt and patch there.
4. Open SimpleAssemblyExplorer, load the program, and search for "激活失败"; several hits are found.
5. Analyze the code that was found and modify it in the opposite direction, which is the usual approach.
0 L_0000: ldarg.0
1 L_0001: ldfld System.Windows.Forms.TextBox Play_CS.ZC_Form::textBox_A
2 L_0006: callvirt System.String System.Windows.Forms.Control::get_Text()
3 L_000b: callvirt System.String System.String::Trim()
4 L_0010: ldarg.0
5 L_0011: ldfld System.Windows.Forms.TextBox Play_CS.ZC_Form::textBox_B
6 L_0016: callvirt System.String System.Windows.Forms.Control::get_Text()
7 L_001b: callvirt System.String System.String::Trim()
8 L_0020: ldarg.0
9 L_0021: ldfld System.Windows.Forms.TextBox Play_CS.ZC_Form::textBox_C
10 L_0026: callvirt System.String System.Windows.Forms.Control::get_Text()
11 L_002b: callvirt System.String System.String::Trim()
12 L_0030: ldarg.0
13 L_0031: ldfld System.Windows.Forms.TextBox Play_CS.ZC_Form::textBox_D
14 L_0036: callvirt System.String System.Windows.Forms.Control::get_Text()
15 L_003b: callvirt System.String System.String::Trim()
16 L_0040: call System.String System.String::Concat(System.String,System.String,System.String,System.String)
17 L_0045: stloc.0
18 L_0046: ldc.i4.7
19 L_0047: newarr System.String
20 L_004c: stloc.s V_6
21 L_004e: ldloc.s V_6
22 L_0050: ldc.i4.0
23 L_0051: ldarg.0
24 L_0052: ldfld System.Windows.Forms.TextBox Play_CS.ZC_Form::textBox_A
25 L_0057: callvirt System.String System.Windows.Forms.Control::get_Text()
26 L_005c: callvirt System.String System.String::Trim()
27 L_0061: stelem.ref
28 L_0062: ldloc.s V_6
29 L_0064: ldc.i4.1
30 L_0065: ldstr "-"
31 L_006a: stelem.ref
32 L_006b: ldloc.s V_6
33 L_006d: ldc.i4.2
34 L_006e: ldarg.0
35 L_006f: ldfld System.Windows.Forms.TextBox Play_CS.ZC_Form::textBox_B
36 L_0074: callvirt System.String System.Windows.Forms.Control::get_Text()
37 L_0079: callvirt System.String System.String::Trim()
38 L_007e: stelem.ref
39 L_007f: ldloc.s V_6
40 L_0081: ldc.i4.3
41 L_0082: ldstr "-"
42 L_0087: stelem.ref
43 L_0088: ldloc.s V_6
44 L_008a: ldc.i4.4
45 L_008b: ldarg.0
46 L_008c: ldfld System.Windows.Forms.TextBox Play_CS.ZC_Form::textBox_C
47 L_0091: callvirt System.String System.Windows.Forms.Control::get_Text()
48 L_0096: callvirt System.String System.String::Trim()
49 L_009b: stelem.ref
50 L_009c: ldloc.s V_6
51 L_009e: ldc.i4.5
52 L_009f: ldstr "-"
53 L_00a4: stelem.ref
54 L_00a5: ldloc.s V_6
55 L_00a7: ldc.i4.6
56 L_00a8: ldarg.0
57 L_00a9: ldfld System.Windows.Forms.TextBox Play_CS.ZC_Form::textBox_D
58 L_00ae: callvirt System.String System.Windows.Forms.Control::get_Text()
59 L_00b3: callvirt System.String System.String::Trim()
60 L_00b8: stelem.ref
61 L_00b9: ldloc.s V_6
62 L_00bb: call System.String System.String::Concat(System.String[])
63 L_00c0: stloc.1
64 L_00c1: ldarg.0
65 L_00c2: ldfld Play_CS.DataLayer Play_CS.ZC_Form::dl
66 L_00c7: ldloc.0
67 L_00c8: callvirt System.Boolean Play_CS.DataLayer::checkEnglish(System.String)
68 L_00cd: brfalse 163 -> ldstr "无此注册码!"
69 L_00d2: ldarg.0
70 L_00d3: ldfld Play_CS.DataLayer Play_CS.ZC_Form::dl
71 L_00d8: ldloc.1
72 L_00d9: callvirt System.Boolean Play_CS.DataLayer::check_pkey_jh(System.String)
73 L_00de: brfalse 149 -> ldstr "激活失败!"
74 L_00e3: ldarg.0
75 L_00e4: ldfld Play_CS.DataLayer Play_CS.ZC_Form::dl
76 L_00e9: ldloc.1
77 L_00ea: callvirt System.Boolean Play_CS.DataLayer::insert_setlog(System.String)
78 L_00ef: brfalse 135 -> ldstr "激活失败!"
79 L_00f4: ldloc.1
80 L_00f5: stsfld System.String Play_CS.Ticket::key
81 L_00fa: ldc.i4.5
82 L_00fb: newarr System.String
83 L_0100: stloc.s V_7
84 L_0102: ldloc.s V_7
85 L_0104: ldc.i4.0
86 L_0105: ldsfld System.String Play_CS.Ticket::cpuid
87 L_010a: stelem.ref
88 L_010b: ldloc.s V_7
89 L_010d: ldc.i4.1
90 L_010e: ldstr "$"
91 L_0113: stelem.ref
92 L_0114: ldloc.s V_7
93 L_0116: ldc.i4.2
94 L_0117: ldsfld System.String Play_CS.Ticket::hdd
95 L_011c: stelem.ref
96 L_011d: ldloc.s V_7
97 L_011f: ldc.i4.3
98 L_0120: ldstr "$"
99 L_0125: stelem.ref
100 L_0126: ldloc.s V_7
101 L_0128: ldc.i4.4
102 L_0129: ldsfld System.String Play_CS.Ticket::mac
103 L_012e: stelem.ref
104 L_012f: ldloc.s V_7
105 L_0131: call System.String System.String::Concat(System.String[])
106 L_0136: stloc.2
107 L_0137: ldarg.0
108 L_0138: ldfld Play_CS.SymmetricMethod Play_CS.ZC_Form::sm
109 L_013d: ldloc.2
110 L_013e: callvirt System.String Play_CS.SymmetricMethod::DESEncrypt(System.String)
111 L_0143: stloc.3
112 L_0144: ldarg.0
113 L_0145: ldfld Play_CS.SymmetricMethod Play_CS.ZC_Form::sm
114 L_014a: ldsfld System.String Play_CS.Ticket::key
115 L_014f: callvirt System.String Play_CS.SymmetricMethod::DESEncrypt(System.String)
116 L_0154: stloc.s V_4
117 L_0156: ldarg.0
118 L_0157: ldfld Play_CS.DataLayer Play_CS.ZC_Form::dl
119 L_015c: ldstr "key.data"
120 L_0161: ldloc.3
121 L_0162: callvirt System.Void Play_CS.DataLayer::WriteLog(System.String,System.String)
122 L_0167: ldarg.0
123 L_0168: ldfld Play_CS.DataLayer Play_CS.ZC_Form::dl
124 L_016d: ldstr "knum.data"
125 L_0172: ldloc.s V_4
126 L_0174: callvirt System.Void Play_CS.DataLayer::WriteLog(System.String,System.String)
127 L_0179: ldarg.0
128 L_017a: ldfld Play_CS.loding Play_CS.ZC_Form::ldi
129 L_017f: ldc.i4.2
130 L_0180: callvirt System.Void System.Windows.Forms.Form::set_DialogResult(System.Windows.Forms.DialogResult)
131 L_0185: ldarg.0
132 L_0186: ldc.i4.1
133 L_0187: call System.Void System.Windows.Forms.Form::set_DialogResult(System.Windows.Forms.DialogResult)
134 L_018c: br.s 176 -> leave.s 193 -> ret
135 L_018e: ldstr "激活失败!"
136 L_0193: ldstr "错误提示!"
137 L_0198: ldc.i4.0
138 L_0199: ldc.i4.s 0x10
139 L_019b: call System.Windows.Forms.DialogResult System.Windows.Forms.MessageBox::Show(System.String,System.String,System.Windows.Forms.MessageBoxButtons,System.Windows.Forms.MessageBoxIcon)
140 L_01a0: pop
141 L_01a1: ldarg.0
142 L_01a2: ldfld Play_CS.loding Play_CS.ZC_Form::ldi
143 L_01a7: ldc.i4.2
144 L_01a8: callvirt System.Void System.Windows.Forms.Form::set_DialogResult(System.Windows.Forms.DialogResult)
145 L_01ad: ldarg.0
146 L_01ae: ldc.i4.7
147 L_01af: call System.Void System.Windows.Forms.Form::set_DialogResult(System.Windows.Forms.DialogResult)
148 L_01b4: br.s 176 -> leave.s 193 -> ret
149 L_01b6: ldstr "激活失败!"
150 L_01bb: ldstr "错误提示!"
151 L_01c0: ldc.i4.0
152 L_01c1: ldc.i4.s 0x10
153 L_01c3: call System.Windows.Forms.DialogResult System.Windows.Forms.MessageBox::Show(System.String,System.String,System.Windows.Forms.MessageBoxButtons,System.Windows.Forms.MessageBoxIcon)
154 L_01c8: pop
155 L_01c9: ldarg.0
156 L_01ca: ldfld Play_CS.loding Play_CS.ZC_Form::ldi
157 L_01cf: ldc.i4.2
158 L_01d0: callvirt System.Void System.Windows.Forms.Form::set_DialogResult(System.Windows.Forms.DialogResult)
159 L_01d5: ldarg.0
160 L_01d6: ldc.i4.7
161 L_01d7: call System.Void System.Windows.Forms.Form::set_DialogResult(System.Windows.Forms.DialogResult)
162 L_01dc: br.s 176 -> leave.s 193 -> ret
163 L_01de: ldstr "无此注册码!"
164 L_01e3: ldstr "错误提示!"
165 L_01e8: ldc.i4.0
166 L_01e9: ldc.i4.s 0x10
167 L_01eb: call System.Windows.Forms.DialogResult System.Windows.Forms.MessageBox::Show(System.String,System.String,System.Windows.Forms.MessageBoxButtons,System.Windows.Forms.MessageBoxIcon)
168 L_01f0: pop
169 L_01f1: ldarg.0
170 L_01f2: ldfld Play_CS.loding Play_CS.ZC_Form::ldi
171 L_01f7: ldc.i4.2
172 L_01f8: callvirt System.Void System.Windows.Forms.Form::set_DialogResult(System.Windows.Forms.DialogResult)
173 L_01fd: ldarg.0
174 L_01fe: ldc.i4.7
175 L_01ff: call System.Void System.Windows.Forms.Form::set_DialogResult(System.Windows.Forms.DialogResult)
176 L_0204: leave.s 193 -> ret
177 L_0206: stloc.s V_5
178 L_0208: ldloc.s V_5
179 L_020a: callvirt System.String System.Exception::get_Message()
180 L_020f: ldstr "错误提示!"
181 L_0214: ldc.i4.0
182 L_0215: ldc.i4.s 0x10
183 L_0217: call System.Windows.Forms.DialogResult System.Windows.Forms.MessageBox::Show(System.String,System.String,System.Windows.Forms.MessageBoxButtons,System.Windows.Forms.MessageBoxIcon)
184 L_021c: pop
185 L_021d: ldarg.0
186 L_021e: ldfld Play_CS.loding Play_CS.ZC_Form::ldi
187 L_0223: ldc.i4.2
188 L_0224: callvirt System.Void System.Windows.Forms.Form::set_DialogResult(System.Windows.Forms.DialogResult)
189 L_0229: ldarg.0
190 L_022a: ldc.i4.7
191 L_022b: call System.Void System.Windows.Forms.Form::set_DialogResult(System.Windows.Forms.DialogResult)
192 L_0230: leave.s 193 -> ret
193 L_0232: ret
.try0 0 to 177 Catch handler catch(System.Exception) 177 to 193
Those who understand assembly will see that whether registration succeeded is decided by whether the files "key.data" and "knum.data" exist; that is, registration is judged by these two files, and a successful registration generates them.
119 L_015c: ldstr "key.data"
120 L_0161: ldloc.3
121 L_0162: callvirt System.Void Play_CS.DataLayer::WriteLog(System.String,System.String)
122 L_0167: ldarg.0
123 L_0168: ldfld Play_CS.DataLayer Play_CS.ZC_Form::dl
124 L_016d: ldstr "knum.data"
Looking upward through the code, I found two "激活失败!" prompts; this should be where the comparison is made and "key.data" and "knum.data" are generated, so patch them in the opposite direction:
73 L_00de: brfalse 149 -> ldstr "激活失败!"-------------- change to brtrue
74 L_00e3: ldarg.0
75 L_00e4: ldfld Play_CS.DataLayer Play_CS.ZC_Form::dl
76 L_00e9: ldloc.1
77 L_00ea: callvirt System.Boolean Play_CS.DataLayer::insert_setlog(System.String)
78 L_00ef: brfalse 135 -> ldstr "激活失败!"--------------- change to brtrue
After making the changes, save and test-run: activation now succeeds, with no functional restrictions.
But every time the program runs that prompt appears, and after pressing OK it deletes the generated "key.data" and "knum.data" files, so you have to register again. So I searched for the place that shows the "注册码错误" (registration code error) prompt and found:
0 L_0000: ldarg.0
1 L_0001: ldarg.0
2 L_0002: ldfld Play_CS.DataLayer Play_CS.Start::dl
3 L_0007: callvirt System.String Play_CS.DataLayer::ZJkey()
4 L_000c: stfld System.String Play_CS.Start::zjxx_bj
5 L_0011: ldarg.0
6 L_0012: ldfld System.String Play_CS.Start::zjxx_bj
7 L_0017: ldstr ""
8 L_001c: call System.Boolean System.String::op_Inequality(System.String,System.String)
9 L_0021: brfalse.s 52 -> ldstr "key.data"
10 L_0023: ldarg.0
11 L_0024: ldfld System.String Play_CS.Start::zjxx_bj
12 L_0029: ldc.i4.1
13 L_002a: newarr System.Char
14 L_002f: stloc.s V_4
15 L_0031: ldloc.s V_4
16 L_0033: ldc.i4.0
17 L_0034: ldc.i4.s 0x24
18 L_0036: stelem.i2
19 L_0037: ldloc.s V_4
20 L_0039: callvirt System.String[] System.String::Split(System.Char[])
21 L_003e: ldc.i4.0
22 L_003f: ldelem.ref
23 L_0040: stsfld System.String Play_CS.Ticket::cpuid
24 L_0045: ldarg.0
25 L_0046: ldfld System.String Play_CS.Start::zjxx_bj
26 L_004b: ldc.i4.1
27 L_004c: newarr System.Char
28 L_0051: stloc.s V_5
29 L_0053: ldloc.s V_5
30 L_0055: ldc.i4.0
31 L_0056: ldc.i4.s 0x24
32 L_0058: stelem.i2
33 L_0059: ldloc.s V_5
34 L_005b: callvirt System.String[] System.String::Split(System.Char[])
35 L_0060: ldc.i4.1
36 L_0061: ldelem.ref
37 L_0062: stsfld System.String Play_CS.Ticket::hdd
38 L_0067: ldarg.0
39 L_0068: ldfld System.String Play_CS.Start::zjxx_bj
40 L_006d: ldc.i4.1
41 L_006e: newarr System.Char
42 L_0073: stloc.s V_6
43 L_0075: ldloc.s V_6
44 L_0077: ldc.i4.0
45 L_0078: ldc.i4.s 0x24
46 L_007a: stelem.i2
47 L_007b: ldloc.s V_6
48 L_007d: callvirt System.String[] System.String::Split(System.Char[])
49 L_0082: ldc.i4.2
50 L_0083: ldelem.ref
51 L_0084: stsfld System.String Play_CS.Ticket::mac
52 L_0089: ldstr "key.data"
53 L_008e: call System.Boolean System.IO.File::Exists(System.String)
54 L_0093: brfalse 109 -> newobj System.Void Play_CS.TestFm::.ctor()
55 L_0098: ldarg.0
56 L_0099: ldfld Play_CS.SymmetricMethod Play_CS.Start::sm
57 L_009e: ldarg.0
58 L_009f: ldfld Play_CS.DataLayer Play_CS.Start::dl
59 L_00a4: ldstr "key.data"
60 L_00a9: callvirt System.String Play_CS.DataLayer::readlog(System.String)
61 L_00ae: callvirt System.String Play_CS.SymmetricMethod::Decrypto(System.String)
62 L_00b3: stloc.0
63 L_00b4: ldarg.0
64 L_00b5: ldfld System.String Play_CS.Start::zjxx_bj
65 L_00ba: ldloc.0
66 L_00bb: call System.Boolean System.String::op_Equality(System.String,System.String)
67 L_00c0: brfalse.s 106 -> ldarg.0
68 L_00c2: ldc.i4.0
69 L_00c3: stloc.1
70 L_00c4: ldarg.0
71 L_00c5: ldfld Play_CS.SymmetricMethod Play_CS.Start::sm
72 L_00ca: ldarg.0
73 L_00cb: ldfld Play_CS.DataLayer Play_CS.Start::dl
74 L_00d0: ldstr "knum.data"
75 L_00d5: callvirt System.String Play_CS.DataLayer::readlog(System.String)
76 L_00da: callvirt System.String Play_CS.SymmetricMethod::Decrypto(System.String)
77 L_00df: stsfld System.String Play_CS.Ticket::key
78 L_00e4: ldarg.0
79 L_00e5: ldfld Play_CS.DataLayer Play_CS.Start::dl
80 L_00ea: ldsfld System.String Play_CS.Ticket::key
81 L_00ef: callvirt System.Boolean Play_CS.DataLayer::check_pkey_jh(System.String)
82 L_00f4: stloc.1
83 L_00f5: leave.s 88 -> ldloc.1
84 L_00f7: pop
85 L_00f8: ldarg.0
86 L_00f9: call System.Void Play_CS.Start::start()
87 L_00fe: leave.s 130 -> ret
88 L_0100: ldloc.1
89 L_0101: brfalse.s 93 -> ldstr "注册码错误"
90 L_0103: ldarg.0
91 L_0104: call System.Void Play_CS.Start::start()
92 L_0109: br.s 120 -> leave.s 130 -> ret
93 L_010b: ldstr "注册码错误"
94 L_0110: ldstr "错误提示!"
95 L_0115: ldc.i4.0
96 L_0116: ldc.i4.s 0x10
97 L_0118: call System.Windows.Forms.DialogResult System.Windows.Forms.MessageBox::Show(System.String,System.String,System.Windows.Forms.MessageBoxButtons,System.Windows.Forms.MessageBoxIcon)
98 L_011d: pop
99 L_011e: ldstr "key.data"
100 L_0123: call System.Void System.IO.File::Delete(System.String)
101 L_0128: ldstr "knum.data"
102 L_012d: call System.Void System.IO.File::Delete(System.String)
103 L_0132: ldarg.0
104 L_0133: call System.Void Play_CS.Start::clo()
105 L_0138: br.s 120 -> leave.s 130 -> ret
106 L_013a: ldarg.0
107 L_013b: call System.Void Play_CS.Start::show_zcfm()
108 L_0140: br.s 120 -> leave.s 130 -> ret
109 L_0142: newobj System.Void Play_CS.TestFm::.ctor()
110 L_0147: stloc.2
111 L_0148: ldloc.2
112 L_0149: callvirt System.Windows.Forms.DialogResult System.Windows.Forms.Form::ShowDialog()
113 L_014e: ldc.i4.2
114 L_014f: bne.un.s 118 -> ldarg.0
115 L_0151: ldarg.0
116 L_0152: call System.Void Play_CS.Start::clo()
117 L_0157: br.s 120 -> leave.s 130 -> ret
118 L_0159: ldarg.0
119 L_015a: call System.Void Play_CS.Start::start()
120 L_015f: leave.s 130 -> ret
121 L_0161: stloc.3
122 L_0162: ldloc.3
123 L_0163: callvirt System.String System.Exception::get_Message()
124 L_0168: ldstr "错误提示!"
125 L_016d: ldc.i4.0
126 L_016e: ldc.i4.s 0x10
127 L_0170: call System.Windows.Forms.DialogResult System.Windows.Forms.MessageBox::Show(System.String,System.String,System.Windows.Forms.MessageBoxButtons,System.Windows.Forms.MessageBoxIcon)
128 L_0175: pop
129 L_0176: leave.s 130 -> ret
130 L_0178: ret
.try0 70 to 84 Catch handler catch(System.Object) 84 to 88
.try1 0 to 121 Catch handler catch(System.Exception) 121 to 130
Found the place that verifies the "key.data" and "knum.data" files; modify it and save.
88 L_0100: ldloc.1
89 L_0101: brfalse.s 93 -> ldstr "注册码错误"------------ change to brtrue
90 L_0103: ldarg.0
91 L_0104: call System.Void Play_CS.Start::start()
92 L_0109: br.s 120 -> leave.s 130 -> ret
93 L_010b: ldstr "注册码错误"
94 L_0110: ldstr "错误提示!"
95 L_0115: ldc.i4.0
96 L_0116: ldc.i4.s 0x10
97 L_0118: call System.Windows.Forms.DialogResult System.Windows.Forms.MessageBox::Show(System.String,System.String,System.Windows.Forms.MessageBoxButtons,System.Windows.Forms.MessageBoxIcon)
98 L_011d: pop
99 L_011e: ldstr "key.data"
100 L_0123: call System.Void System.IO.File::Delete(System.String)
101 L_0128: ldstr "knum.data"
After the modification I finally don't have to register every time, and the program can be used normally. The patch finally succeeded.

Nice, thanks for sharing, haha

Front row, here to learn!

Simple Assembly Explorer 1.10.1.7 is a good tool, very practical.

Thank you for sharing.

A question: to learn how to modify .NET programs, what do I need to study?

Thanks for providing this, it's explained in good detail!

Learning.

Very nice, learned something.

OP is awesome

Simple Assembly Explorer 1.10.1.7, this is the first time I've heard of this tool
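What the three brfalse -> brtrue edits in the post amount to at the byte level, as an added example that is not code from the original post or from Simple Assembly Explorer. Per ECMA-335, brfalse is opcode 0x39 (4-byte signed operand), brfalse.s is 0x2C (1-byte operand), and their brtrue counterparts are 0x3A and 0x2D; the operand is relative to the end of the branch instruction, which is why the IL offsets in the listings (L_00de -> L_01b6, L_00ef -> L_018e, L_0101 -> L_010b) can be used to verify a branch before flipping it. The two method bodies here are constructed stand-ins (only the branch bytes and the final ret are real, everything else is 0x00 filler), so the script runs offline without the actual assembly.

```python
import struct

# ECMA-335 partition III opcodes for the conditional branches in the listings.
# Each entry: (mnemonic, inverse opcode, operand size in bytes).
BRANCH_OPCODES = {
    0x39: ("brfalse",   0x3A, 4),
    0x3A: ("brtrue",    0x39, 4),
    0x2C: ("brfalse.s", 0x2D, 1),
    0x2D: ("brtrue.s",  0x2C, 1),
}

def _fmt(size):
    return "<i" if size == 4 else "<b"

def decode_branch(body, il_offset):
    """Decode the conditional branch at il_offset.
    Returns (mnemonic, absolute target IL offset). The operand is relative
    to the END of the branch instruction, not to its start."""
    opcode = body[il_offset]
    if opcode not in BRANCH_OPCODES:
        raise ValueError(f"IL_{il_offset:04x}: 0x{opcode:02x} is not brfalse/brtrue")
    name, _, size = BRANCH_OPCODES[opcode]
    rel = struct.unpack_from(_fmt(size), body, il_offset + 1)[0]
    return name, il_offset + 1 + size + rel

def encode_branch(body, il_offset, opcode, target):
    """Write a branch with `opcode` at il_offset jumping to `target`.
    Only used to build the constructed sample bodies below."""
    size = BRANCH_OPCODES[opcode][2]
    body[il_offset] = opcode
    struct.pack_into(_fmt(size), body, il_offset + 1, target - (il_offset + 1 + size))

def flip_branch(body, il_offset, expected_target):
    """Invert brfalse<->brtrue at il_offset, but only after checking that the
    instruction really is a conditional branch to expected_target (taken from
    the disassembly), so a wrong offset cannot silently corrupt the method."""
    name, target = decode_branch(body, il_offset)
    if target != expected_target:
        raise ValueError(f"IL_{il_offset:04x}: {name} targets IL_{target:04x}, "
                         f"expected IL_{expected_target:04x}")
    patched = bytearray(body)
    patched[il_offset] = BRANCH_OPCODES[body[il_offset]][1]
    return bytes(patched)

# Constructed stand-ins for the two method bodies from the post. Only the
# branch instructions and the final ret are real; every other byte is 0x00.
def build_zc_form_body():
    body = bytearray(0x233)                   # ZC_Form register handler, ret at L_0232
    encode_branch(body, 0x0CD, 0x39, 0x1DE)   # checkEnglish -> "无此注册码!" (left alone)
    encode_branch(body, 0x0DE, 0x39, 0x1B6)   # check_pkey_jh -> "激活失败!"
    encode_branch(body, 0x0EF, 0x39, 0x18E)   # insert_setlog -> "激活失败!"
    body[0x232] = 0x2A                        # ret
    return bytes(body)

def build_start_body():
    body = bytearray(0x179)                   # Start handler, ret at L_0178
    encode_branch(body, 0x101, 0x2C, 0x10B)   # brfalse.s -> "注册码错误"
    body[0x178] = 0x2A                        # ret
    return bytes(body)

def patch_activation(zc_form_body):
    """The two edits from the post: L_00de and L_00ef brfalse -> brtrue."""
    body = flip_branch(zc_form_body, 0x0DE, 0x1B6)
    return flip_branch(body, 0x0EF, 0x18E)

def patch_startup(start_body):
    """The third edit: L_0101 brfalse.s -> brtrue.s."""
    return flip_branch(start_body, 0x101, 0x10B)

def changed_offsets(before, after):
    """IL offsets whose byte differs; a correct flip touches only opcode bytes."""
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]

if __name__ == "__main__":
    zc = build_zc_form_body()
    zc_patched = patch_activation(zc)
    print("ZC_Form bytes changed at:", [hex(i) for i in changed_offsets(zc, zc_patched)])
    print("L_00de is now:", decode_branch(zc_patched, 0xDE))
    st = build_start_body()
    st_patched = patch_startup(st)
    print("Start bytes changed at:", [hex(i) for i in changed_offsets(st, st_patched)])
```

Two caveats a practitioner would want. First, against a real assembly the IL offset still has to be mapped to a file offset through the method's RVA in the MethodDef table, the PE section headers and the tiny/fat method header; that bookkeeping is what Simple Assembly Explorer does for you and this script does not. Second, flipping the opcode inverts the check rather than removing it: with these patches a genuinely valid registration code now takes the failure path, exactly as in the post. From the defender's side the lesson is the one the post demonstrates: a licensing decision that compiles to a single brfalse in unobfuscated IL, with the "encrypted" key.data decrypted by a key the client itself holds, is one byte away from being inverted.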